yahoo-eng-team team mailing list archive
Message #92950
[Bug 2039464] [NEW] disallowed by policy error when user tries to create_port with fixed_Ips
Public bug reported:
OS: Ubuntu 22.04
Openstack Release: Zed
Deployment tool: Kolla-ansible
Neutron Plugin: OVN
I have set up an RBAC policy on my external network; here is the policy.yaml file:
"create_port:fixed_ips": "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared"
"create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared"
"create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared"
I have RBAC set up on the following network to allow a specific project to access the network.
# openstack network show public-network-948
+---------------------------+----------------------------------------------------------------------------+
| Field | Value |
+---------------------------+----------------------------------------------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2023-09-01T20:31:36Z |
| description | |
| dns_domain | |
| id | 5aacb586-c234-449e-a209-45fc63c8de26 |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | False |
| is_vlan_transparent | None |
| mtu | 1500 |
| name | public-network-948 |
| port_security_enabled | True |
| project_id | 1ed68ab792854dc99c1b2d31bf90019b |
| provider:network_type | None |
| provider:physical_network | None |
| provider:segmentation_id | None |
| qos_policy_id | None |
| revision_number | 9 |
| router:external | External |
| segments | None |
| shared | True |
| status | ACTIVE |
| subnets | d36886a2-99d3-4e2b-93ed-9e3cfabf5817, dba7a427-dccb-4a5a-a8e0-23fcda64666d |
| tags | |
| tenant_id | 1ed68ab792854dc99c1b2d31bf90019b |
| updated_at | 2023-10-15T18:13:52Z |
+---------------------------+----------------------------------------------------------------------------+
When a normal user tries to create a port, they get the following error:
# openstack port create --network public-network-1 --fixed-ip subnet=dba7a427-dccb-4a5a-a8e0-23fcda64666d,ip-address=204.247.186.133 test1
ForbiddenException: 403: Client Error for url: http://192.168.18.100:9696/v2.0/ports, (rule:create_port and (rule:create_port:fixed_ips and (rule:create_port:fixed_ips:subnet_id and rule:create_port:fixed_ips:ip_address))) is disallowed by policy
openstack in debug output: https://pastebin.com/act1n7cv
Reference Bug:
https://bugs.launchpad.net/neutron/+bug/1808112
https://bugs.launchpad.net/neutron/+bug/1833455
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2039464
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2039464/+subscriptions
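The 403 message in the report shows the shape of what Neutron actually enforces on a port create: the base rule create_port ANDed with one rule per attribute set in the request body (create_port:fixed_ips) and per sub-attribute inside it (create_port:fixed_ips:subnet_id, create_port:fixed_ips:ip_address), each of which is an "or" over rule references. The toy evaluator below is an added example, not code from the bug report, neutron.policy or oslo.policy; it models only the composition ("or" looser than "and", no parentheses), the "rule:", "role:", "field:" and owner-style checks the three policy lines need, and reads the parent network from a constructed target dict instead of fetching it through the plugin as Neutron does. The generic rules (admin_only, network_owner, shared, context_is_advsvc) are simplified stand-ins for the Neutron defaults, and the second project id is constructed.

```python
"""Toy model of how oslo.policy-style rule strings compose for a Neutron
port create request. Constructed example: not oslo.policy or neutron.policy.
Supports 'or' (loosest), 'and', and the check kinds used here; no parentheses."""
import re
from dataclasses import dataclass

# Constructed policy. The three "create_port:fixed_ips*" lines are the ones from
# the bug report; the generic rules they reference are simplified stand-ins for
# the Neutron defaults (assumption: the real defaults differ in detail).
POLICY = {
    "context_is_admin": "role:admin",
    "admin_only": "rule:context_is_admin",
    "context_is_advsvc": "role:advsvc",
    "network_owner": "project_id:%(network:project_id)s",
    "shared": "field:networks:shared=True",
    "create_port": "",  # empty rule string: always allowed
    "create_port:fixed_ips": "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared",
    "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared",
    "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared",
}

NETWORK_ID = "5aacb586-c234-449e-a209-45fc63c8de26"   # network id from the bug report
OWNER = "1ed68ab792854dc99c1b2d31bf90019b"             # network project_id from the report
OTHER = "00000000000000000000000000000000"              # constructed second project

# Request body matching the failing "openstack port create" call in the report.
PORT_BODY = {"network_id": NETWORK_ID,
             "fixed_ips": [{"subnet_id": "dba7a427-dccb-4a5a-a8e0-23fcda64666d",
                            "ip_address": "204.247.186.133"}]}


@dataclass
class Credentials:
    project_id: str
    roles: tuple


def network_target(shared):
    """Constructed parent-resource view; Neutron fetches this via the plugin."""
    return {"network": {"id": NETWORK_ID, "project_id": OWNER, "shared": shared}}


def _lookup(target, path):
    """Resolve a 'network:project_id' style path against the target dict."""
    obj = target
    for part in path.split(":"):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def _atom(check, policy, creds, target):
    """Evaluate one check such as 'role:admin', 'rule:shared' or 'field:networks:shared=True'."""
    check = check.strip()
    if check in ("", "@"):
        return True
    if check == "!":
        return False
    kind, _, value = check.partition(":")
    if kind == "rule":
        return evaluate(policy[value], policy, creds, target)
    if kind == "role":
        return value in creds.roles
    if kind == "field":
        # field:<plural resource>:<attr>=<literal>; read from the parent resource in target
        resource, _, cond = value.partition(":")
        attr, _, literal = cond.partition("=")
        singular = resource[:-1] if resource.endswith("s") else resource
        return str(_lookup(target, f"{singular}:{attr}")) == literal
    # generic check: credential attribute == target value, with %(path)s substitution
    m = re.fullmatch(r"%\((.+)\)s", value)
    expected = _lookup(target, m.group(1)) if m else value
    return expected is not None and getattr(creds, kind, None) == expected


def evaluate(expr, policy, creds, target):
    """'or' binds loosest, then 'and'."""
    return any(all(_atom(a, policy, creds, target) for a in term.split(" and "))
               for term in expr.split(" or "))


def build_match_rule(action, body, policy):
    """Rule names ANDed together: the action, then one per attribute and
    sub-attribute present in the body that has a rule defined (a stand-in for
    Neutron's per-attribute enforce_policy flag)."""
    names = [action]
    for attr, value in body.items():
        if f"{action}:{attr}" in policy:
            names.append(f"{action}:{attr}")
        for item in value if isinstance(value, list) else [value]:
            if isinstance(item, dict):
                names.extend(f"{action}:{attr}:{sub}" for sub in item
                             if f"{action}:{attr}:{sub}" in policy)
    return list(dict.fromkeys(names))


def describe(names):
    """Render the ANDed rule list in the nested form the 403 message uses."""
    if len(names) == 1:
        return f"rule:{names[0]}"
    return f"(rule:{names[0]} and {describe(names[1:])})"


def enforce(action, body, policy, creds, target):
    """Return (allowed, rule names); denied as soon as any ANDed rule fails."""
    names = build_match_rule(action, body, policy)
    return all(evaluate(policy[n], policy, creds, target) for n in names), names


if __name__ == "__main__":
    cases = [("admin, other project", Credentials(OTHER, ("admin",)), False),
             ("member of owner project", Credentials(OWNER, ("member",)), False),
             ("member of other project, not shared", Credentials(OTHER, ("member",)), False),
             ("member of other project, shared", Credentials(OTHER, ("member",)), True)]
    for label, creds, shared in cases:
        allowed, names = enforce("create_port", PORT_BODY, POLICY, creds, network_target(shared))
        print(f"{label}: {'allowed' if allowed else 'disallowed'} by {describe(names)}")
```

The third case reproduces the shape of the failure in the report: a non-admin in a project that does not own the network fails every branch of the "or" unless the shared field check passes, and since the attribute rules are ANDed with create_port, one failing attribute rule denies the whole request. In the toy the shared check reads a flat boolean from the target, whereas the real engine evaluates the network as the requesting project sees it; that is the part the two referenced bugs concern, and the toy does not model it.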